Reputation: 5407
I am trying to handle text which may contain single quotes and other special characters. If it is enclosed in single quotes, it does not proceed. So I am trying to enclose the single-quoted string in a double-quoted string.
I already checked previous threads.
Here is the code:
Check result : http://ideone.com/gWFdUb
<?php
function clean($string) {
    eval('$string = "'.$string.'";');
    $string = str_replace(' ', ' ', $string); // Replaces all spaces with hyphens.
    return preg_replace('/[^A-Za-z0-9 @\-]/', '', $string); // Removes special chars.
}
$d = clean('this was readlly n'ice 'test for@me to') ;
echo $d;
What's wrong with the eval line?
I am processing user tweets and posts for two purposes.
I get stuck due to such characters in the text, so I am trying to remove them before I start processing.
UPDATE:
Check this: here I am already using mysqli_real_escape_string,
and even so the script stops when it reaches this:
...
mention-179
May Thanks @ShaleMarkets @01Finser @52York @AB_CutRock @AFSPG @AJSmith222 @AlbertaEnergy @andymartin @annemullettamg @APGQ_officiel-440929408564477952-Tue Mar 04 19:18:57 +0000 2014-19:03:572014:03:04201403Adnan Aftab Nizamani0131
mention-180
Thank you for @ShaleMarkets, to promoting, thank you very much for an award. Glad to have been able to help you :)-440897048963850240-Tue Mar 04 17:10:22 +0000 2014-17:03:222014:03:04201403♘-₭ℜi℘-0582
mention-181
@ShaleMarkets https://t.co/aM8liykQqR-440890009273393152-Tue Mar 04 16:42:24 +0000 2014-16:03:242014:03:04201403Bre Burey018
What's wrong in mention-181 so that it got stuck? Here is the code
foreach ($tweets1 as $item)
{
    $count = $count + 1;
    $text = $item->text;
    //echo $userid.$text;
    $text_id = $item->id;
    $constant = 'mention';
    $time = $item->created_at;
    //echo $time;
    //$dt = new DateTime('@' . strtotime($time));
    $dt = \DateTime::createFromFormat('D M d H:i:s e Y', $time);
    //var_dump($dt);
    $tweet_time = $dt->format('H:m:s');
    $tweet_dtm = $dt->format('Y:m:d');
    $year = $dt->format('Y');
    $month = $dt->format('m');
    $user_name = $item->user->name;
    // echo $year.$month.$user_name;
    $inreplyto = $item->in_reply_to_screen_name;
    $rt_count = $item->retweet_count;
    $follower_count = $item->user->followers_count;
    echo $constant."-".$count."<br>".$text."-".$text_id."-".$time."-".$tweet_time.$tweet_dtm.$year.$month.$user_name.$rt_count.$follower_count."<br>";
    echo "<br>";
    $con = mysqli_connect('127.0.0.1', 'root', 'root', 'root');
    if (mysqli_connect_errno())
    {
        echo "Failed to connect to MySQL: " . mysqli_connect_error();
        return;
    }
    $text = mysqli_real_escape_string($con,$text);
    $insertQuery1 = "INSERT INTO twitter_mention(`username`,`userid`,`tweet_text`,`text_id`,`time`,`month`,`year`,`date`,`user_follower_count`,`rt_count`,`constant`,`in_reply_to`) VALUES ('".$twitteruser."','".$userid."','".$text."','".$text_id."','".$tweet_time."','".$month."','".$year."','".$tweet_dtm."','".$follower_count."','".$rt_count."','".$constant."','".$inreplyto."')";
    if (!mysqli_query($con,$insertQuery1))
    {
        // die('Error: ' . mysqli_error($con));
        // echo "error";
    }
}
Upvotes: 1
Views: 3107
Reputation: 76666
In this answer, I'll try to address your original question:
What's wrong with the eval line?
Nothing. The second-to-last line is the only line that contains a syntax error. You aren't escaping the single-quotes correctly. Try the following:
$d = clean('this was readlly n\'ice \'test for@me to');
It should now produce this output:
this was readlly nice test for@me to
I'm not sure if this is the expected result. If you update the question to include what exactly you're trying to achieve and why you care which type of quotes the string was wrapped in, maybe I can help you find a solution.
Upvotes: 4
Reputation: 76666
You can't generically "clean" data without any context of what it's for. Do not try to build a single function to handle all the possible cases. Just don't. It's pointless. In your function, you're trying to "clean" the string by removing certain characters. You can't clean a string by removing a set of characters. That idea is flawed because you're always going to have to allow the use of some characters that are special in some syntax or the other.
Instead, treat the string according to the context where it's going to be used. For example:
If you are going to use this string in an SQL query, you have to use prepared statements (or mysqli_real_escape_string()) to properly escape the data.
If you're going to output this value in HTML markup, you need to use htmlspecialchars() to escape the data.
If you're going to use it as command-line argument, you need to use escapeshellcmd() or escapeshellarg().
Upvotes: 4
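The context-specific handling described in this answer, as an added example that is not part of the original answer or the asker's code: the tweet text is stored unchanged through a prepared statement and encoded only at the point of use. PDO with an in-memory SQLite database is an assumption standing in for the MySQL connection so the script runs without a server; `storeTweet`, `renderTweet`, `shellArgument` and the sample tweets are hypothetical and constructed for illustration.

```php
<?php
// Added example with constructed data; helper names are hypothetical.
// PDO + in-memory SQLite stands in for MySQL so this runs offline.

function storeTweet(PDO $db, string $text, string $textId, string $replyTo): void {
    // Placeholders keep values out of the SQL text, so no quoting,
    // "cleaning" or eval() of the tweet is needed before the insert.
    $stmt = $db->prepare(
        'INSERT INTO twitter_mention (tweet_text, text_id, in_reply_to) VALUES (?, ?, ?)'
    );
    $stmt->execute([$text, $textId, $replyTo]);
}

function renderTweet(string $text): string {
    // HTML context: encode when printing, not before storage.
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function shellArgument(string $text): string {
    // Shell context: quote the whole value as a single argument.
    return escapeshellarg($text);
}

$db = new PDO('sqlite::memory:');
// Surface database errors instead of silently skipping a failed insert.
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE twitter_mention (tweet_text TEXT, text_id TEXT, in_reply_to TEXT)');

// Constructed sample tweets: quotes, markup and SQL-looking punctuation.
$samples = [
    ['1001', "this was readlly n'ice 'test for@me to", ''],
    ['1002', 'He said "hi" <b>& left</b>', 'example_user'],
    ['1003', "it's 5 o'clock'); -- just text", ''],
];
foreach ($samples as [$id, $text, $replyTo]) {
    storeTweet($db, $text, $id, $replyTo);
}

foreach ($db->query('SELECT text_id, tweet_text FROM twitter_mention') as $row) {
    // The stored text is exactly what came in; only each output is encoded.
    echo $row['text_id'], ' html:  ', renderTweet($row['tweet_text']), PHP_EOL;
    echo $row['text_id'], ' shell: ', shellArgument($row['tweet_text']), PHP_EOL;
}
```

With mysqli the same pattern uses `mysqli_prepare()` and `mysqli_stmt_bind_param()` in place of the PDO calls.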
Reputation: 566
Try this one-
<?php
function clean($string) {
    eval("\$string = \"$string\";");
    $string = str_replace(' ', ' ', $string); // Replaces all spaces with hyphens.
    return preg_replace('/[^a-zA-Z0-9_ %\[\]\.\(\)%&-]/s', '', $string); // Removes special chars.
}
$d = clean("this was readlly n'ice 'test for@me to") ;
echo $d;
?>
The output is- this was readlly nice test forme to
Upvotes: 1